Platform
php
Component
voovi-social-networking-script
Fixed in
1.0.1
CVE-2023-6412 represents a critical SQL injection vulnerability discovered in Voovi Social Networking Script versions 1.0 and 1.0. This flaw allows a remote attacker to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. A patch, version 1.0.1, has been released to address this security concern.
The SQL injection vulnerability in Voovi Social Networking Script allows an attacker to directly interact with the underlying database. By crafting malicious SQL queries through the photo.php parameter, an attacker can bypass security measures and execute arbitrary commands. This could result in the complete exfiltration of sensitive data, including user credentials, personal information, and potentially even database schema details. Successful exploitation could also lead to data modification or deletion, disrupting the functionality of the social networking script and compromising its integrity. The blast radius extends to all users of the affected script, particularly those storing sensitive information within the database.
CVE-2023-6412 was publicly disclosed on 2023-11-30. While no active exploitation campaigns have been definitively confirmed, the CRITICAL CVSS score and the ease of exploitation via SQL injection suggest a high probability of exploitation if the vulnerability remains unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the simplicity of the attack vector.
Exploit Status
EPSS
0.20% (42% percentile)
CVSS Vector
The primary mitigation for CVE-2023-6412 is to immediately upgrade to version 1.0.1 of Voovi Social Networking Script. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing a Web Application Firewall (WAF) with rules to filter potentially malicious SQL queries targeting the photo.php parameter. Input validation and sanitization on the server-side are also crucial to prevent SQL injection attacks. Regularly review and update database access permissions to limit the potential impact of a successful attack.
Update to a patched version or discontinue use of the script. Due to the (SQL Injection) vulnerability, it is crucial to apply security updates provided by the vendor or migrate to a more secure solution. If no updates are available, it is recommended to stop using the software.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2023-6412 is a critical SQL injection vulnerability affecting Voovi Social Networking Script versions 1.0 and 1.0, allowing attackers to inject malicious SQL queries via the photo.php parameter.
If you are using Voovi Social Networking Script version 1.0 or 1.0, you are potentially affected and should upgrade immediately.
Upgrade to version 1.0.1 of Voovi Social Networking Script. As a temporary workaround, implement a WAF to filter malicious SQL queries.
While no confirmed active exploitation campaigns are currently known, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation if unpatched.
Refer to the vendor's website or security advisories for the latest information and updates regarding CVE-2023-6412.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.